What privacy procedures, practices and systems do you need to implement?: Part 1


As most readers are undoubtedly aware, the countdown is on for organisations to finalise preparations for the biggest changes in privacy laws since 1988.

In two weeks, amendments to the Privacy Act will see the introduction of a raft of new requirements on how personal, sensitive and health information is collected and used.

A central feature of the new laws is that organisations must have procedures, practices and systems in place to ensure compliance with each of the 13 Australian Privacy Principles (APPs).

So, what does that mean? It all sounds pretty vague.

This is where the APP guidelines, which were published in final form this week, come in. These guidelines outline the mandatory requirements of the APPs, how the regulator (the Office of the Australian Information Commissioner, or OAIC) will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.

Basically, if you are serious about complying with the new privacy laws, you need to read these guidelines because they explain important things like how the OAIC will interpret the term “procedures, practices and systems”.

So, here is a summary of what the guidelines say about this issue.

  • APP 1.2 imposes a distinct and separate obligation upon an APP entity to take proactive steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs.
  • The obligation is a constant one.
  • An entity should consider keeping a record of the steps taken to comply with APP 1.2, in order to demonstrate that personal information is managed in an open and transparent way.
  • An entity is not excused from implementing particular practices, procedures or systems by reason only that it would be inconvenient, time-consuming or impose some cost to do so.

The following are given as examples of practices, procedures and systems that an APP entity should consider implementing.

  • Procedures for identifying and managing privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction or de-identification.
  • Security systems for protecting personal information from misuse, interference and loss and from unauthorised access, modification or disclosure (such as IT systems, internal access controls and audit trails).
  • A commitment to conducting a Privacy Impact Assessment (PIA) for new projects in which personal information will be handled, or when a change is proposed to information handling practices.
  • Procedures for identifying and responding to privacy breaches, handling access and correction requests, and receiving and responding to complaints and inquiries.
  • Procedures that give individuals the option of not identifying themselves and remaining anonymous, or of using a pseudonym, when dealing with the entity in particular circumstances.
  • Governance mechanisms to ensure compliance with the APPs (such as designated privacy officers and regular reporting to the entity’s governance body).
  • Regular staff training and information bulletins on how the APPs apply to the entity and on the practices, procedures and systems it has developed.
  • Appropriate supervision of staff regularly handling personal information, and reinforcement of the entity’s practices, procedures and systems.
  • Mechanisms to ensure that agents and contractors in the service of, or acting on behalf of, the entity comply with the APPs.
  • A program of proactive review and audit of the adequacy and currency of the entity’s APP Privacy Policy and of its practices, procedures and systems related to handling personal information.

The reality is that, despite no fewer than ten examples of practices, procedures and systems, the obligation still seems a little vague.

It’s not really until you put all these practices, procedures and systems into a picture that you start to see that what the privacy laws require is a fully integrated corporate governance infrastructure where key parts of a Privacy Program link with other functional areas and governance programs.

[Figure: CS Privacy]


While the integration with some other governance programs such as Complaints Handling and Compliance are obvious, it is the integration with the Human Resources and Work Health and Safety functions that might not be so obvious at first glance.

In Part 2 of this blog we will look at the types of HR and WHS policies that an organisation should be implementing in order to ensure compliance with the Privacy Laws.
